Topic: I'm dumping Nxt and here's why you should too - page 2. (Read 21321 times)

hero member
Activity: 658
Merit: 501
After the damage is done? Not very smart.

It's being done before and after. Are you suggesting there is no value in investigating mistakes or crimes after they happen?

Why is reproducibility required?

That is one method, amongst many, in our tool chest for auditing code.
legendary
Activity: 2142
Merit: 1010
Newbie
Then we can scrutinize and investigate to validate. Additionally, that was one of the original criticisms of NxT that Jeff mentioned-

After the damage is done? Not very smart.


“What is necessary, for NXT or any other crypto-finance software, is to prove independent reproducibility. The next step is to proactively have developers and community members cross-check each other, to make sure the build produced is the same for all. This helps ensure that the release manager is not under duress, unknowingly infected with malware, or corrupt. No security solution is perfect, but it raises the bar significantly. You should never trust just one person to produce release binaries, in any crypto-finance project.  That’s called a Single Point of Failure, and it is easy to attack such a narrow victim vector.”

Why is reproducibility required?
hero member
Activity: 658
Merit: 501

So you agree in a utopian fantasy world AND in the real world?

No, I agree with you conceptually if that reality existed, but it doesn't.

Well, so what happened to Mark Karpeles aka CEO of Mt.GOX? He is still a free man and no one is going to lynch him? Good that we know him right...

First of all, the legal system of the state is usually slow and inept at bringing justice. The investigators just released their preliminary reports and he still might find jail time.

Secondly, regardless of whether the state is effectual or not, there is another type of justice which is immediately brought to light with frauds like Josh Garza and Mark Karpeles. They have to hire bodyguards, they have to spend a lot of resources and forever fear that retribution will be around the corner, they are socially ostracized, they will have a really hard time with any future business pursuits or contracts. Their credibility is shot.

With a pseudonym you aren't putting much on the line. Once you commit the fraud or fuck up, you can just create a new persona. Do you really believe that there are separate dev teams for all 700+ pump and dump scamcoins? No, of course not, there are anonymous devs recreating new scams and ponzis when the last one folds all the time.

If Gavin commits some malicious code to steal bitcoins in the next core release we can go after him.

No, he will say that the key was compromised and he didn't know about that.

Then we can scrutinize and investigate to validate. Additionally, that was one of the original criticisms of NxT that Jeff mentioned-

Quote from: Jeff Garzik
“What is necessary, for NXT or any other crypto-finance software, is to prove independent reproducibility. The next step is to proactively have developers and community members cross-check each other, to make sure the build produced is the same for all. This helps ensure that the release manager is not under duress, unknowingly infected with malware, or corrupt. No security solution is perfect, but it raises the bar significantly. You should never trust just one person to produce release binaries, in any crypto-finance project.  That’s called a Single Point of Failure, and it is easy to attack such a narrow victim vector.”

https://www.cryptocoinsnews.com/bitcoin-core-developer-jeff-garzik-believes-nxt-is-a-scamcoin/

NxT has a single point of failure, while the bitcoin core team cross checks each other with each build. Additionally, Bitcoin has multiple implementations interacting with the blockchain, so you don't even have to trust Gavin or the rest of the core team.

What I have noticed you doing repeatedly is committing a shifting-the-sands or moving-the-goalposts logical fallacy by repeatedly discussing flaws or weaknesses within the improvements we are suggesting instead of realizing what any security researcher knows: that nothing is 100% secure and we can only make attempts at increasing the levels of security.
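The cross-checking Garzik describes (several builders reproduce the binary, and the release manager's output must match all of them) can be checked mechanically. The following is an added example, not code from Nxt, Bitcoin, or any poster in this thread; the builder names, artifact name and hashes are constructed.

```python
import hashlib
from collections import Counter

def sha256_hex(data: bytes) -> str:
    """Fingerprint one build artifact (a jar, an executable, a tarball)."""
    return hashlib.sha256(data).hexdigest()

def verify_release(builder_manifests, published, min_builders=3):
    """Cross-check independently produced builds against the published release.

    builder_manifests: {builder: {artifact: sha256_hex}} -- what each developer
        or community member obtained from their own deterministic build.
    published: {artifact: sha256_hex} -- what the release manager shipped.
    Returns {artifact: status}, where status is one of
        "ok"                  enough builders agree and match the published hash
        "insufficient"        fewer than min_builders reported this artifact
        "builders-disagree"   at least one builder obtained a different binary
        "publisher-mismatch"  builders agree with each other, not with the release
    Anything other than "ok" means: do not ship, investigate first.
    """
    report = {}
    for artifact, published_hash in published.items():
        seen = {b: m[artifact] for b, m in builder_manifests.items() if artifact in m}
        if len(seen) < min_builders:
            report[artifact] = "insufficient"
            continue
        counts = Counter(seen.values())
        if len(counts) > 1:
            # Nondeterministic build, infected builder machine, or deliberate
            # modification all look the same at this point: a disagreement.
            report[artifact] = "builders-disagree"
            continue
        consensus = next(iter(counts))
        report[artifact] = "ok" if consensus == published_hash else "publisher-mismatch"
    return report

def release_is_trustworthy(report):
    """True only when every published artifact passed the cross-check."""
    return bool(report) and all(status == "ok" for status in report.values())

# Constructed demo values (not real Nxt or Bitcoin release hashes).
GOOD = sha256_hex(b"nxt-client.jar: deterministic build output")
TAMPERED = sha256_hex(b"nxt-client.jar: deterministic build output, modified")

def demo():
    manifests = {"alice": {"client.jar": GOOD},
                 "bob": {"client.jar": GOOD},
                 "carol": {"client.jar": GOOD}}
    honest = verify_release(manifests, {"client.jar": GOOD})
    # The single release manager's binary differs from everyone else's build:
    compromised = verify_release(manifests, {"client.jar": TAMPERED})
    return honest, compromised
```

The second report in `demo()` is the case Garzik warns about: one release manager producing a binary nobody else can reproduce, which the cross-check flags as "publisher-mismatch" before anyone runs it.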




legendary
Activity: 2142
Merit: 1010
Newbie
If Gavin commits some malicious code to steal bitcoins in the next core release we can go after him.

No, he will say that the key was compromised and he didn't know about that.
legendary
Activity: 1225
Merit: 1000
BULLSHIT. Code quality is the most important criterion of a dev. Nice try evading an argument.

Did I ever state otherwise?

Yes, looks so to me:

Quote
Quote
the background of the developers can give us some understanding of their technical proficiency -> So does the quality of the code they write
Yes, I agree with this in a utopian fantasy developer world. Completely, ignoring reality, and my previous comments.

So you agree in a utopian fantasy world AND in the real world?
hero member
Activity: 658
Merit: 501
First of all, what is the truth 33.3% anonymous devs or 66.66% anonymous devs?

I don't know exact numbers, only 3 devs were anonymous and I saw somewhere that Nxt had 9 devs. Let's assume that there are only 3 devs and all of them are anonymous. What does it change?

Doesn't change anything, NxT should still be less trusted than Bitcoin, and specifically because it has a mostly anonymous dev team and core maintainer (one reason amongst others). There should be higher standards with FinTech because you are dealing with people's life savings. Bitcoin still needs a lot of work before I can suggest people use it 100%. NxT is in a completely different category of risk.

If Gavin commits some malicious code to steal bitcoins in the next core release we can go after him. If Jean-Luc does this with NxT then finding him will be more difficult. It is the same reason I warn people to not deposit any funds in Bitcoin banks and exchanges with anonymous owners. Huge red flag!

Additionally, bitcoin developers have social consequences if they make mistakes; their real reputation is on the line, not some pseudonym's reputation. There is a day and night difference between the two.... and frankly me having to be so explicit with what should be obvious is a little disconcerting.

You cannot hide behind the fact that the source code is included within each release and the responsibility lies within the user to do audits and compile from source. That isn't realistic for 99.9% of users.
legendary
Activity: 2142
Merit: 1010
Newbie
First of all, what is the truth 33.3% anonymous devs or 66.66% anonymous devs?

I don't know exact numbers, only 3 devs were anonymous and I saw somewhere that Nxt had 9 devs. Let's assume that there are only 3 devs and all of them are anonymous. What does it change?
hero member
Activity: 658
Merit: 501
Now you see why a claim that "non-anon" devs are better is nonsense. If Nxt had 1000 devs then the laws of statistics could be applied (even if your claim were true); Nxt has only 3 anon devs and anyone claiming that it lowers the quality of the code says a silly thing: statistics simply don't work for small numbers.

First of all, what is the truth 33.3% anonymous devs or 66.66% anonymous devs?

Anon Devs: we have around 9 core (ish) devs, 3 of whom are non-anonymous.
Not perfect, but, hey, it's crypto.

Secondly, you are presenting a false dichotomy again. Anonymous devs are fine, but with Fintech the majority of core devs and the project maintainer should be transparent.

I was thinking about exactly that all the time! It's quite subtle. (not pretending that my arguments are flawless)

Perhaps it's nuanced because I am more interested in the truth and am open to admitting where I am wrong (like I have done multiple times).

Nxt was open-source since day 0. Unobfuscated Java binary = source code. Google around and you will find several repositories with decompiled source code. It repeats the original source code with 99% matching (the rest 1% is caused by empty lines).

While not entirely true, I agree that this attack was over-reaching because it isn't fair to compare the transparency of the development process of Bitcoin (in this context) with NxT. Bitcoin already has enough of a network effect that it doesn't need to worry so much about clones ripping off its code. Nxt had good reasons to withhold code and still has good reasons not to show all development in progress. I can see this is slowly changing as well with NxT growing.
The true shift is if or when many merchants start using NxT so it could start to transform from being mostly a speculative instrument to a useful one. At this point NxT devs should be more comfortable showing unreleased code.
hero member
Activity: 658
Merit: 501
Funny that you don't have to cite articles with scientific proof when you raise your concerns that having known devs is better than having anon devs Wink

All your facts are subjective at best. It's not clear how they contribute to "to have known devs is better than anon devs"

Scientific proof was not requested, what I asked for was much lower bar.

When a comparative analysis cannot be made, then I refer you to refuting my original statements with logical rebuttals.

subjective. If he was not a liberal statist you would trust him and not be on guard?

No, being a paranoid developer, I would trust no one, but knowing the motivations, background, and politics of fellow devs allows me to focus and scrutinize certain aspects of others' work more, which is helpful whether it involves watching for malicious code or simply being on guard for potential bugs when someone contributes code out of their area of expertise. To expect a full and complete security audit with every change is unrealistic.

BULLSHIT. Code quality is the most important criterion of a dev. Nice try evading an argument.

Did I ever state otherwise?

But the best is, we have known devs, but since some of them are anon, it's all bad, right?  Wink

another false dichotomy.
legendary
Activity: 2142
Merit: 1010
Newbie
The reason why this is so important is decentralization, which can't be achieved by private code.....

Nxt was open-source since day 0. Unobfuscated Java binary = source code. Google around and you will find several repositories with decompiled source code. It repeats the original source code with 99% matching (the rest 1% is caused by empty lines).
legendary
Activity: 2142
Merit: 1010
Newbie
It has nothing to do with a "200 lines per file max" rule but with documentation and writing code that is more readable and modular. Satoshi's code was written for himself and was very tight without enough documentation. It is bad enough having to work on a development project with a few other people and one asshole programmer who doesn't follow normal conventions, let alone a worldwide decentralized collaborative project.

Are you a programmer, btw?
legendary
Activity: 938
Merit: 1000
BTC | LTC | XLM | VEN | ARDR
Source code? Really??? Who cares?

Ripple had this debate years ago. They have top cryptographers working for them. They made the decisions (as close to perfect as possible) and they've gone and built it.

You guys are still arguing among yourselves and getting all pedantic about what is and isn't in the source code. Sigh.

The energy should not be on the degree of open-source purity and/or technical disagreements, but on winning hearts and minds.

Proof of Beluga Caviar

Nice try  Cheesy This is a sign of madness, you know...

The reason why this is so important is decentralization, which can't be achieved by private code.....
hero member
Activity: 658
Merit: 501
This is a common problem of all programmers working on big projects - they believe that writing code by sticking to the rule "200 lines per file max" is the only correct way. As a result we have heavy software with millions of lines of trash that requires more and more GHz to work without a lot of lagging.

I saw these 4 files written by Satoshi - nothing that could be used to call the code badly written. Just old school, without things like
Code:
int i = 3; // Set value of 'i' to 3

It has nothing to do with a "200 lines per file max" rule but with documentation and writing code that is more readable and modular. Satoshi's code was written for himself and was very tight without enough documentation. It is bad enough having to work on an in-house development project with a few other people and one asshole programmer who doesn't follow normal conventions, let alone a worldwide decentralized collaborative project.
legendary
Activity: 2142
Merit: 1010
Newbie
Nice try  Cheesy This is a sign of madness, you know...

Did you notice that his posts are very short now? Like he is scared of speech analysis.  Cheesy
hero member
Activity: 574
Merit: 500
Source code? Really??? Who cares?

Ripple had this debate years ago. They have top cryptographers working for them. They made the decisions (as close to perfect as possible) and they've gone and built it.

You guys are still arguing among yourselves and getting all pedantic about what is and isn't in the source code. Sigh.

The energy should not be on the degree of open-source purity and/or technical disagreements, but on winning hearts and minds.

Proof of Beluga Caviar

Nice try  Cheesy This is a sign of madness, you know...
legendary
Activity: 2142
Merit: 1010
Newbie
Well the evidence can directly be obtained by reviewing the source code itself and the subsequent changes.

Many well versed programmers have confirmed the shortcomings of Satoshi's code so it isn't just my opinion:

http://diginomics.com/who-is-satoshi-nakamoto/

Quote
Based on analysis from other programmers who worked on the source code, it does not appear to be written by someone who is well versed in professional programming but rather has a strong academic or theoretical knowledge of cryptography.

Quote

He was the oracle to which we would go for questions about the system, but he rarely followed standard engineering practices, like writing unit or stress tests or any of the standard qualitative analysis that we’d perform on software. Several things had to be disabled almost immediately upon public release of Bitcoin because they were obviously exploitable.

http://www.dailydot.com/opinion/nakamoto-what-do-we-know/

Quote

“Satoshi’s style of writing code was old-school. He used things like reverse Polish notation.”

In addition, the code was not always terribly neat, another sign that Nakamoto was not working with a team that would have cleaned up the code and streamlined it.

“Everyone who looked at his code has pretty much concluded it was a single person,” says Andresen. “We have rewritten roughly 70 percent of the code since inception. It wasn’t written with nice interfaces. It was like one big hairball. It was incredibly tight and well-written at the lower level but where functions came together it could be pretty messy.


Now we could begin to argue about stylistic preferences with programming notation, but any competent programmer who has worked collaboratively on a development project can attest that Satoshi's programming style is the exact opposite of what is desired, especially for a decentralized worldwide open source project.

This is a common problem of all programmers working on big projects - they believe that writing code by sticking to the rule "200 lines per file max" is the only correct way. As a result we have heavy software with millions of lines of trash that requires more and more GHz to work without a lot of lagging.

I saw these 4 files written by Satoshi - nothing that could be used to call the code badly written. Just old school, without things like
Code:
int i = 3; // Set value of 'i' to 3
legendary
Activity: 1225
Merit: 1000
PS: I really enjoy our convo Smiley. Guys like you serve their posts in "soft" form and quite often agree with the opponent but at some point intention to push the agenda leads them to a trap of logic flaws that become obvious sooner or later. Let's continue, if you wish.

I was thinking about exactly that all the time! It's quite subtle. (not pretending that my arguments are flawless)
hero member
Activity: 756
Merit: 506
Source code? Really??? Who cares?

Ripple had this debate years ago. They have top cryptographers working for them. They made the decisions (as close to perfect as possible) and they've gone and built it.

You guys are still arguing among yourselves and getting all pedantic about what is and isn't in the source code. Sigh.

The energy should not be on the degree of open-source purity and/or technical disagreements, but on winning hearts and minds.

Proof of Beluga Caviar
sr. member
Activity: 280
Merit: 250
Source code? Really??? Who cares?

Ripple had this debate years ago. They have top cryptographers working for them. They made the decisions (as close to perfect as possible) and they've gone and built it.

You guys are still arguing among yourselves and getting all pedantic about what is and isn't in the source code. Sigh.

The energy should not be on the degree of open-source purity and/or technical disagreements, but on winning hearts and minds.
legendary
Activity: 2142
Merit: 1010
Newbie
Do you understand the difference between a comparative analysis and simply stating anecdotes of security breaches?

Now you see why a claim that "non-anon" devs are better is nonsense. If Nxt had 1000 devs then the laws of statistics could be applied (even if your claim were true); Nxt has only 3 anon devs and anyone claiming that it lowers the quality of the code says a silly thing: statistics simply don't work for small numbers.


A good argument would be citing a research article that discussed the propensity for security breaches of open source projects that had anonymous developers vs non-anonymous ones, or if you cannot cite this then at minimum cite some large long-term open source projects with anonymous developers that have better security than your average open source project with known devs.

No need, I already busted the issue 5 lines above. Now we came to the agreement, I believe?


PS: I really enjoy our convo Smiley. Guys like you serve their posts in "soft" form and quite often agree with the opponent but at some point intention to push the agenda leads them to a trap of logic flaws that become obvious sooner or later. Let's continue, if you wish.